[arch-security] Subscription to OSS-security linux-distros

Mark Lee mark at markelee.com
Thu Jun 5 23:23:56 EDT 2014


To All,

There is an Arch security team, but they don't necessarily have developer
access. The strategy is to current report to the arch-security mailing list
and file a bug report. I'd just like to know if security issues that are
reported are already fixed (since there is a delay for non-distro
subscribing lists). Could developers file any security changes they make in
the arch-security mailing list as well then?

Regards,
Mark


On Thu, Jun 5, 2014 at 7:13 PM, Daniel Micay <danielmicay at gmail.com> wrote:

> On 05/06/14 05:36 PM, Allan McRae wrote:
> > On 06/06/14 05:14, Mark Lee wrote:
> >> To All,
> >>
> >> There are several linux-distro subscription requests on the oss-security
> >> mailing list, and some bugs are disclosed first on that mailing list. I
> >> just want to be sure that Arch Linux is getting this expedited
> >> notification of bugs. Are you still on it Allan?
> >>
> >
> > Yes - I pass on the worst (or at least let people know the public
> > release dates if not the details).
> >
> > A
>
> There's not much we really can do to prepare since we're unlikely to
> have anything to backport. The work to backport to the stable release
> will already be done for anything important enough to go through an
> embargo. A restriction on disclosure for 7 days just means we'll get the
> fix 7 days later.
>
> The important issue here is that there needs to be enough interest in
> security by developers and trusted users to prioritize these package
> upgrades even if it's not a package they maintain, because the
> maintainer might not be around.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.archlinux.org/pipermail/arch-security/attachments/20140605/7164912e/attachment-0001.html>


More information about the arch-security mailing list